CVE-2026-42137

medium

Published 2026-04-30 · Modified 2026-04-30

CVSS v3

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2

—

VIR risk

6.5

Description

Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/getkirby/kirby/security/advisories/GHSA-85x2-r8xv-ww8c

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/getkirby/kirby/releases/tag/5.4.0

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/getkirby/kirby/releases/tag/4.9.0

Ecosystem	Package	Vulnerable	Fixed
Packagist	getkirby/cms	`>=5.0.0,<=5.3.3\|<=4.8.0`
Packagist	getkirby/cms	`<4.9.0`	`4.9.0`
Packagist	getkirby/cms	`>=5.0.0,<5.4.0`	`5.4.0`
COMPOSER	getkirby/cms	`>= 5.0.0, <= 5.3.3`	`5.4.0`
COMPOSER	getkirby/cms	`<= 4.8.0`	`4.9.0`

Vendor	Product	Versions	Fixed
getkirby	kirby	`{"endExcluding":"4.9.0"}`	`4.9.0`

CWE-862 CWE-863

Verify integrity in audit chain (admin only). AS-IS.